Commit 070a6cdf authored by Pablo Panero

Merge branch 'search' into 'master'

Search

See merge request webservices/cern_search_rest!30
parents 21b5ee04 b700e147
......@@ -261,6 +261,13 @@ If afterwards we query (get,put,delete) for the specific item we will obtain a 4
}
```
### Debugging using a superuser
When creating the instance a user account was granted super user rights. This account is set via the ``ADMIN_USER``
environmental variable, its value will be compared against the user's email returned by the OAuth server.
This user will have the rights to read, update, create and delete any document within the instance indexes.
## ACLs and permissions
Permissions are implemented in a CRUD fashion.
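Review bot: the sentence "This user will have the rights to read, update, create and delete any document" promises more than the permission changes in this commit show. `is_admin(user)` is only referenced in the update, read and delete checks, and there it sits behind `user_provides and has_owner_permission(user)`. Either document those preconditions and drop "create", or make the admin check a real override in the code. Because this account bypasses the per-record `_access` lists, the section should also state that it is meant for debugging and should not be a shared or day-to-day account.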
......@@ -387,16 +394,17 @@ gunicorn -b :5000 --certfile=ssl.crt --keyfile=ssl.key cern_search_rest.wsgi
CERN Search specific parameters:
- CERN_SEARCH_REMOTE_APP_RESOURCE: It is the ``Homepage`` value in the OAuth application registration. Note that it
- REMOTE_APP_RESOURCE: It is the ``Homepage`` value in the OAuth application registration. Note that it
should not include nor the protocol (``https://``) nor the ending slash (``\``). Basically, this would be the name of
your server, which if it is deployed in OpenShift would be like ``you-project-name.web.cern.ch``.
- CERN_SEARCH_DEFAULT_INDEX: The default index where to insert data if not index / schema is specified in the request.
- CERN_SEARCH_DEFAULT_DOC_TYPE: The value of the default document type. It must be part of the default index,
- DEFAULT_INDEX: The default index where to insert data if not index / schema is specified in the request.
- DEFAULT_DOC_TYPE: The value of the default document type. It must be part of the default index,
defined in the above variable.
- CERN_SEARCH_INSTANCE: The name of the instance. A folder with this name must exist in
- SEARCH_INSTANCE: The name of the instance. A folder with this name must exist in
``cern_search_rest/modules/cernsearch/jsonschemas/``, therefore, upon index creation an alias will be set for all the
indexes (mappings existing in this folder). This indexes will be the ones over whom searches will be performed.
- ADMIN_USER: Superuser's email account. If it is a non-CERN account, it should go without a domain
(``@cern.ch``).
The rest of the configuration comes from parameters that are configurable through the Invenio Framework or Flask.
The full list of the overwritten ones can be found in ``cern_search_rest/config.py``, nonetheless, if needed
others can be overwritten (check documentation of the corresponding project in the
......
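Review bot: the ADMIN_USER entry says "If it is a non-CERN account, it should go without a domain (``@cern.ch``)", which does not match `is_admin` in this commit. The code strips `@cern.ch` from the user's email before comparing, so it is a CERN account that may be configured without the domain, while a non-CERN account has to be given as the full address. Please reword. The renamed entries (DEFAULT_INDEX, DEFAULT_DOC_TYPE, SEARCH_INSTANCE) also need a line saying they are template parameter names, since the template in this commit still exports them as CERN_SEARCH_DEFAULT_INDEX, CERN_SEARCH_DEFAULT_DOC_TYPE and CERN_SEARCH_INSTANCE.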
......@@ -104,10 +104,12 @@ def has_update_permission(user, record):
# Allow based in the '_access' key
user_provides = get_user_provides()
# set.isdisjoint() is faster than set.intersection()
update_access_groups = record['_access']['update'].split(',')
if check_elasticsearch(record) and (
(user_provides and not set(user_provides).isdisjoint(set(update_access_groups))) \
or has_owner_permission(user)):
update_access_groups = record['_access']['update']
if check_elasticsearch(record) and user_provides and has_owner_permission(user) and \
(
not set(user_provides).isdisjoint(set(update_access_groups))
or is_admin(user)
):
return True
return False
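Review bot: logic problem in the new condition of has_update_permission: `user_provides and has_owner_permission(user)` is now ANDed with the group/admin test, whereas before `has_owner_permission(user)` was an alternative joined with `or`. As written, a member of an update group who fails the owner check is denied, and `is_admin(user)` cannot grant anything unless the user also has a non-empty `user_provides` and passes the owner check, which contradicts the README text added in this commit. If the admin is meant to override, test it first, for example `if is_admin(user): return True`, and state in a comment whether owner permission is meant to be required or sufficient. A unit test per case (group member, owner, admin, none of these) would pin the intended truth table.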
......@@ -118,10 +120,12 @@ def has_read_record_permission(user, record):
# Allow based in the '_access' key
user_provides = get_user_provides()
# set.isdisjoint() is faster than set.intersection()
read_access_groups = record['_access']['read'].split(',')
if check_elasticsearch(record) and (
(user_provides and not set(user_provides).isdisjoint(set(read_access_groups)))
or has_owner_permission(user)):
read_access_groups = record['_access']['read']
if check_elasticsearch(record) and user_provides and has_owner_permission(user) and \
(
not set(user_provides).isdisjoint(set(read_access_groups))
or is_admin(user)
):
return True
return False
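Review bot: the `.split(',')` on `record['_access']['read']` is dropped here without any visible change to how `_access` is stored or validated. If the field can still arrive as a comma-separated string, `set(read_access_groups)` becomes a set of single characters and the `isdisjoint` test will not match any real group name, so group-based read access fails silently. Please either validate that the value is a list before building the set, or accept both forms, and mention the format change in the README section on ACLs. The AND/OR concern raised for the update check applies to this condition too.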
......@@ -132,9 +136,12 @@ def has_delete_permission(user, record):
# Allow based in the '_access' key
user_provides = get_user_provides()
# set.isdisjoint() is faster than set.intersection()
delete_access_groups = record['_access']['delete'].split(',')
if (user_provides and not set(user_provides).isdisjoint(set(delete_access_groups))) \
or has_owner_permission(user):
delete_access_groups = record['_access']['delete']
if check_elasticsearch(record) and user_provides and has_owner_permission(user) and \
(
not set(user_provides).isdisjoint(set(delete_access_groups))
or is_admin(user)
):
return True
return False
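Review bot: has_delete_permission now gains `check_elasticsearch(record)`, which the old condition did not have, and the commit gives no reason for it; please confirm this is intended and note it in the merge request description. After this change the update, read and delete checks are the same expression apart from the `_access` key, so a single helper taking the action name would keep the three from drifting apart the next time the rule changes, which matters for code that decides authorization.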
......@@ -191,6 +198,14 @@ def allow(user, record):
return True
def is_admin(user):
"""Check if the user is administrator"""
admin_user = current_app.config['ADMIN_USER']
if user.email == admin_user or user.email.replace('@cern.ch', '') == admin_user:
return True
return False
def is_public(data, action):
"""Check if the record is fully public.
In practice this means that the record doesn't have the ``access`` key or
......
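Review bot: in is_admin, `user.email.replace('@cern.ch', '')` removes the substring wherever it occurs rather than only a trailing domain, and the comparison is case-sensitive, so the match is looser in one direction and stricter in the other than the README describes. Compare a normalised value instead: lower-case both sides and strip the domain only when the email ends with `@cern.ch`. `current_app.config['ADMIN_USER']` also raises KeyError when the variable is not set; use `.get()` and return False when it is missing or empty, so an unconfigured instance has no superuser rather than a 500 inside a permission check. The body can then be a single `return` of the comparison.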
......@@ -60,6 +60,7 @@ install_requires = [
'redis>=2.10.0',
'npm>=0.1.1',
'uWSGI>=2.0.16',
'idna>=2.5,<2.7',
]
packages = find_packages()
......
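Review bot: the new `'idna>=2.5,<2.7'` entry caps a transitive dependency without saying why. Add a comment naming the package whose constraint forces the upper bound, so the pin can be removed once that package allows newer idna releases instead of silently holding back future updates.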
......@@ -338,6 +338,7 @@ objects:
CERN_SEARCH_DEFAULT_INDEX: ${DEFAULT_INDEX}
CERN_SEARCH_DEFAULT_DOC_TYPE: ${DEFAULT_DOC_TYPE}
CERN_SEARCH_INSTANCE: ${SEARCH_INSTANCE}
INVENIO_ADMIN_USER: ${ADMIN_USER}
parameters:
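Review bot: `INVENIO_ADMIN_USER` breaks the naming pattern of the neighbouring `CERN_SEARCH_*` variables, and the README added in this commit calls the variable `ADMIN_USER`. A short comment here, or a sentence in the README, should say which name the application actually reads, otherwise someone deploying outside this template will set the wrong one and end up with no superuser or an unexpected one.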
......@@ -353,6 +354,8 @@ parameters:
value: 'test-doc_v0.0.1'
- name: SEARCH_INSTANCE
value: 'cernsearch-test'
- name: ADMIN_USER:
value: 'cernsearch@cern.ch'
- name: ALLOWED_HOSTS
description: "Invenio App allowed hosts. Without protocol (e.g. http) nor salsh ('/') at the end"
value: "['test-cern-search.web.cern.ch']"
......
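Review bot: `- name: ADMIN_USER:` has a trailing colon, so the parameter either fails to parse or ends up with a name that does not match the `${ADMIN_USER}` reference added to the environment block; it should read `- name: ADMIN_USER`. The new parameter also has no `description`, unlike ALLOWED_HOSTS below it. Since the value selects the account that bypasses record ACLs, consider dropping the default `'cernsearch@cern.ch'` and marking the parameter `required: true`, so each instance has to choose its superuser explicitly.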